We are happy to confirm that the intermittent connectivity issues affecting SoCast client websites, mobile apps, and APIs have been fully resolved as of this morning. Transparency is a priority for us, so we want to take a moment to explain exactly what happened over the past week, why the disruption was difficult to diagnose, and the steps we took to secure the platform.
What Happened?
After a thorough investigation, our engineering team discovered that our platform was the target of a specific type of cyber-attack known as a “Slowloris” DDoS attack.
Imagine you are running a contest on your station’s request line. A typical DDoS attack is like thousands of people trying to call at once, jamming the switchboard. Attacks like that are loud, obvious, and easy to spot. A “Slowloris” attack is different. Imagine instead that 50 people call your request line. But rather than asking for a song or hanging up, they just stay on the line. They breathe slowly, say a word every few minutes, and refuse to hang up. They aren’t shouting, but they are hogging every single available phone line so that your real listeners get a busy signal.
That is what happened to our servers. The attackers opened connections to our websites and apps and kept them open as long as possible, preventing legitimate listeners and users from getting through.
Because a Slowloris attack doesn’t flood the network with a massive amount of traffic, it allows the attackers to “blend in.” To our automated security monitors, these connections didn’t look like hackers; they looked like regular users with a slightly slow internet connection. It took a deep-dive investigation to realize these weren’t real listeners, but rather a coordinated attempt to clog the system.
The Resolution
Once we identified the pattern, we were able to isolate the “prank callers.” We have identified the specific ranges of IP addresses responsible for the attack and have permanently banned them from accessing our network.
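An added illustration, not SoCast's own tooling: one way to separate the pattern described above from genuinely slow visitors is to count, per source address, the connections that are old, still mid-request, and receiving only a trickle of bytes, and then group the offenders into ranges. The connection fields, thresholds, and sample data below are assumptions constructed for this example.

```python
import ipaddress
from collections import Counter, namedtuple

# One row per currently open connection, as a reverse proxy status export
# might provide it. Field names are hypothetical.
Conn = namedtuple("Conn", "src age_s bytes_in headers_done")

# Constructed sample snapshot (documentation address ranges, not real traffic).
SNAPSHOT = (
    [Conn("198.51.100.7", 240 + i, 180 + i, False) for i in range(12)]
    + [Conn("198.51.100.9", 300 + i, 200, False) for i in range(8)]
    + [Conn("203.0.113.20", 45, 310, False)]   # one visitor on a slow link
    + [Conn("203.0.113.21", 2, 420, True)]     # normal, request already sent
    + [Conn("192.0.2.14", 90, 51200, True)]    # long-lived but active upload
)

def stalled(c, min_age_s=30, max_bytes_per_s=10):
    """Old connection whose request headers are unfinished and barely moving."""
    return (not c.headers_done
            and c.age_s >= min_age_s
            and c.bytes_in / c.age_s <= max_bytes_per_s)

def flag_sources(conns, min_stalled=5):
    """Sources holding many stalled connections at once.

    A single stalled connection is indistinguishable from a slow visitor,
    which is why per-connection checks miss this; the per-source count is
    the signal.
    """
    counts = Counter(c.src for c in conns if stalled(c))
    return {src: n for src, n in counts.items() if n >= min_stalled}

def to_ranges(sources, prefix=24):
    """Collapse flagged addresses into network ranges for a block list."""
    nets = {ipaddress.ip_network(f"{s}/{prefix}", strict=False) for s in sources}
    return sorted(str(n) for n in nets)

if __name__ == "__main__":
    flagged = flag_sources(SNAPSHOT)
    print(flagged)
    print(to_ranges(flagged))
```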
We want to be clear on a few specific points regarding the integrity of your station’s platform:
- No Data Was Compromised: This attack was strictly about blocking access (blocking the “phone lines”). At no point was any listener data, station data, or internal information accessed or stolen.
- Unrelated to Upgrades: We confirmed that this event was not related to our recent infrastructure upgrades.
- Back End Stability: You may have noticed that while the public-facing sites were having trouble, the back-end (where you manage content) remained largely unaffected.
Moving Forward
We are currently operating with heightened monitoring to ensure these specific attackers cannot return. We apologize for the frustration this caused your teams and your listeners, and we appreciate your patience while we cleared the lines.
